
Exactly, that is what I don't understand. I have to use a Mac at work, but I've never tried Time Machine since I use rsync on everything - even Windows machines. But in any case, if TM "backs up" your data, you end up with your original data + a backup with the point being you can lose one of the two and still have your data. So what happened here? He lost his backup, then what about his original data? How did he lose all his work when only the backup is gone? Also, he probably messed things up by killing pr

Exactly, that is what I don't understand. I have to use a Mac at work, but I've never tried Time Machine since I use rsync on everything

That's why you don't understand. Time Machine keeps historical data around, so you can have say a laptop with a 250 GB drive, a 2 TB backup drive, and everything that was ever on your laptop drive will be on your backup drive. Like the OP said: 19 months of historical data. Time Machine is basically backup for the current state, plus history.

If you need that historical data, it should be kept on some kind of permanent storage, which is backed up. Relying on old backups to keep it around after you deleted it is not a valid approach, any more than filing your old records in the trashcan is.

Hmm... So it would be a bit like me using rsync without the --delete option so that data that gets deleted is not erased from the backup and then I go and ERASE data that I NEED from my working copy, since, you know, it is "backed up" ??? Hate to break it to the OP if that is the case, but keeping a single copy of your data cannot be called "backup" in any way. The whole situation sounds idiotic, as a historical backup that can get corrupted in various ways used as your single data store is LESS safe than no

Yes, I get it, I was using Amanda over a decade ago. And it is exactly the reason I said it is more liable to corruption than just having your files somewhere. So it provides more functionality than just a backup copy PROVIDED THAT you don't go deleting your original files - otherwise you have the extra historical functionality but at a great risk.

That is what *I* am saying. The way OP is using it, it is like a repository, he can't claim "his backup is deleted" when he is using a backup tool as a repository. Oh, because Time Machine apparently is not supposed to be something like svn/git. According to Apple:

Time Machine will automatically back up your entire Mac, including system files, applications, accounts, preferences, music, photos, movies, and documents. But what makes Time Machine different from other backup applications is that it not only keeps a spare copy of every file, it remembers how your system looked on a given day — so you can revisit your Mac as it appeared in the past.

Note the "spare copy" - you are not meant to delete files you need from your working directories.

That's all well and good as long as you notice it deleted your backups before your hard drive crashes. And it assumes that you don't realize the next day that you need to revert some file to a previous version, or you deleted some file by mistake 4 weeks ago that you really needed.

Backups are there to protect against the unexpected, so while these might be low probability events, they are exactly what your backups are there for.

He says that it was "irreplaceable data". The whole point of a backup is that the data is trivially replaceable, because it has been duplicated. I suspect his backup routine is rather like this one [penny-arcade.com].

He says that it was "irreplaceable data". The whole point of a backup is that the data is trivially replaceable, because it has been duplicated. I suspect his backup routine is rather like this one [penny-arcade.com].

You really don't get it do you? Time machine is not just a backup, it is a lot like a repository such as SVN. It lets you find a previous revision of a file or project and save it out somewhere else to do a comparison or undo changes you decide that you don't want. It is an incremental backup.

Except that it's designed so that older backups eventually expire, depending on usage. There is a finite limit to what it can store and using it as long term storage is a bad idea.

That is all very interesting but the same thing eventually happens to source repositories since storage space is finite and performance of a repository decreases over time if you don't archive once in a while.

For all intents and purposes, it is unlimited from a consumer perspective since you are not going to want to go back more than a year anyway and it is a good idea to have a time machine backup drive that is considerably larger than your system directories + home folders.

With a little sophostry installed from Sophos, backups are a thing of the past. You will now never lose a file either due to virus, trojan, or simple human error. Want to revert to how your essay looked 12 hours ago? You no longer need to! Sophos magically takes care of all errors and mistakes for you ahead of time, freeing you up to work effortlessly and error-free on your gorgeous Mac without the constant file churning that Time Machine used.

Compared to Norton, Symantec, and the other system-strangling solutions available for virus detection, Sophos is definitely the leading provider. When I was at college (10 years ago), their software scanned everything coming in and going out, and yet hardly slowed the systems down at all (yes, if you had a local machine Admin account you could end the process and prove this!)

Sophos DID hardly slow the systems down at all, it maxed out 1% CPU time most of the time, and flagged "dodgy" executables as they landed in the network share, before allowing Windows even to load icons from them. I realise I'm biting YET ANOTHER troll, but what else is there that one can do to fight bullshit and misinformation? Anybody else got experience using Sophos in an NT4 Workstation / Server environment "back in the day" wanna back me up?

Yep. It used to work acceptably well. As in the CPU use was justified. It wouldn't catch everything but it also wouldn't require a dedicated box just to handle email and filesystem scanning. That said, it is hardly sufficient these days and I haven't used it in years. We run active scanning on client machines and lock them down with group policy, then they roll back to disk images on reboot. We block problematic file extensions from email (with the exception of pdfs and documents) and run everything throug

Yes, but I was actually illustrating that Sophos has a very long history of writing quality bug-free software for mission-critical environments, like Governments, Educational Institutions, and large corporations.

The chances of their software not functioning as intended and screwing up systems or backups are far smaller than their lesser counterparts, Symantec et al, and the whole article smells of Troll Fat.

After looking through the article, while the user seems to have erred in taking Sophos and Time Machine both at their word -- I need to re-read the part he was talking about VMs, something there didn't sound right but I'm not sure what -- and been a little too quick with the OK button, it does strike me as odd that Sophos didn't drop some kind of error when it tried to write to the backup file.

He tried to open a quarantined file, once with the 'cat' command and once with vi, as root, and both times Sophos warned him and prevented him from proceeding. Now, the code for the 'cat' command is quite simple, it basically just does an open(2) of the file and then issues a series of read(2). My question is: Does Sophos actually intercept the system calls in order to make sure no application opens an infected file? If so, wouldn't that introduce a HUGE performance penalty on everything happening on the machine, since these system calls are so crucial?

What I've never understood, is why? Why not just check on writing; and reading on removable drives?

When virus definitions are updated, it is possible that a file that was written in the past is now considered infected. As well, the file could have been written to the disk without the antivirus software's knowledge (could have not been loaded, killed/crashed, etc).

Still, I agree with you that most of the time we have already scanned the darn file..

Mac extended attributes tell the OS when not to open a file. For example com.apple.quarantine gets tagged onto every file you download from the internet unless it's of a set of known safe file types. If you have OS 10.6 try typing ls -loe@ in your downloads folder. When you edit a file the Mac file system also tags it as changed so it knows it will need to back it up without having to go checksum compare every file like rsync checksums do. Thus it's perfectly possible that the virus software could int

Mac extended attributes tell the OS when not to open a file. For example com.apple.quarantine gets tagged onto every file you download from the internet unless it's of a set of known safe file types.

Yes, but it's not something that's done by intercepting system calls. The com.apple.quarantine attribute is only respected by apps like Finder which are specifically looking for it. If you just use something like 'cat' in a terminal window you can still view the file without getting the "ZOMG! This is from teh

Mac extended attributes tell the OS when not to open a file. For example com.apple.quarantine gets tagged onto every file you download from the internet unless it's of a set of known safe file types.

Yes, but it's not something that's done by intercepting system calls. The com.apple.quarantine attribute is only respected by apps like Finder which are specifically looking for it.

No this is not true. While the finder does a pop-up for these the system does check this attribute. You can see this for example when you launch code you compiled yourself, even from the bash command line. Look in the 10.6 OS system.log and behold there is a warning that the code is not signed. No finder involved; the finder is simply more vocal, but it's the system that is checking things.

I won't pretend to understand core coherency under Windows, but if they have one of those network traffic interceptors, conceivably every other thread in a multi-connection webpage load could get scheduled to a different core and get interleaved between scanning and transferring.

Probably smarter just to benchmark it than reason it out.

Or, if they do the standard corporate thing and keep RAM low and swap like mad, the second core can run the memory manager. ;)

I think you misunderstood. More CPU cores won't make that application, or more correctly that thread, any faster per se. They will, however, allow other threads to continue running while the first CPU core is tied up with CPU-intensive virus scanning.

***What do you suggest as an alternative? Remember, people have grown to expect real-time protection.***

Good question. In this case a disable network-virus scan-backup-re-enable network scheme without real-time protection might have worked better, but it is hardly bulletproof. It's a little late to point out that it would have been better to have alternating external backup drives -- more to protect against hardware failure than software issues. And that won't work if you don't know the backup drive has

"Time machine had backed up a virus, so Sophos killed the entire Time machine backup image to get rid of it."

Not quite what happened, according to the article.

Time machine had backed up a virus, so Sophos blocked the user from meddling with it and stated it could not automatically remove the virus. The user then attempted to work around both Sophos and Time machine and discovered that not only did he remove the virus, he corrupted his TM plist, which meant that it lost the record of what files belonged in

It's the media effect. If we invade another country and accidentally kill a few tens of thousands of civilians, and suffer hundreds of casualties, it won't be presented as effectively as the death of the single journalist who got shot in all of this.

Mess up a few hundred random computer dudes, and nobody may hear of it. Don't even in the slightest mess with a /. editor, or lots of people will know.

... Then this is a serious hit to Sophos as they have a very good reputation. Having said that, AFAIK this is their first Mac app. So perhaps it needed more QA before release. Until more reports of this phenomenon appear, I'd reserve judgment. However it might be wise for Sophos to get out front of this issue before the spin gets out of control.

It isn't their first Mac app. They've been selling it to businesses before now, but businesses don't generally use Time Machine, and would never execute a deletion command using an antivirus on a backup archive while it was running. Not sure whether this is an OS bug, or a Sophos bug, or whether if he had allowed the command to finish, it would have worked fine. (Maybe it was just taking a long time.)
--Sam

we've used the business side of it for over a year, major performance headaches...
as to the time machine part, if my memory serves, time machine creates one large file (like tar, but a lot more advanced) it saw the "virus" in the one large file, didn't differentiate that and deleted what it saw as the "file containing the bad stuff" now that he's written data to the drive he's lost any good chance at recovery... I guess we'll need a time machine time machine soon.

No, each time machine backup is a folder that mirrors the root of your hard drive. Each file is separate on the time machine drive. Space is shared for unchanged files and folders between backups using hard links.

Really, really - no. Time Machine backups are sparse bundles, which look like a file unless you mount one as a volume. Just like those 'dmg' files you download to install an application. It's possible that you're using a really old version or have some options set to use a folder, but sparse bundles are the default on a new Snow Leopard backup schedule.

Actually, we might be both right - I've seen another post that suggests that TM uses folders on a directly connected drive, although I'm pretty sure that before I moved to a DIY Time Capsule (USB external connected to Airport Extreme) I still had sparse bundles. YMMV.

If your backup drive is a locally accessible drive, Time Machine stores your HD data to the backup drive as files, folders, and (I think) lots of hardlinks. That's how time machine is designed to work. You don't have direct file system access to a volume when you access it over a network, so Time Machine fakes it by creating a sparse bundle on the destination volume, mounts THAT as a 'local' hard drive, and chugs along.
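An added example, not part of any comment in this thread and not Time Machine's own code: a minimal file-level hard-link snapshot scheme of the kind described above, showing why it matters how a tool "removes" a flagged file from such a backup. The paths, file names and the `take_snapshot` helper are assumptions made for illustration; Time Machine's directory hard links on HFS+ are not modelled.

```python
import filecmp
import os
import shutil
import tempfile


def take_snapshot(source, dest, previous=None):
    """Mirror `source` into `dest`, hard-linking files unchanged since `previous`."""
    for root, _dirs, files in os.walk(source):
        rel = os.path.relpath(root, source)
        os.makedirs(os.path.join(dest, rel), exist_ok=True)
        for name in files:
            src = os.path.join(root, name)
            dst = os.path.join(dest, rel, name)
            old = os.path.join(previous, rel, name) if previous else None
            if old and os.path.isfile(old) and filecmp.cmp(src, old, shallow=False):
                os.link(old, dst)        # unchanged: new name, same inode
            else:
                shutil.copy2(src, dst)   # new or changed: independent copy
    return dest


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build three snapshots of a constructed home directory and compare
    unlinking a file from one snapshot with rewriting it in place."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        os.makedirs(home)
        _write(os.path.join(home, "thesis.txt"), b"draft 1")
        # Constructed stand-in for a file a scanner flags; harmless bytes.
        _write(os.path.join(home, "flagged.bin"), b"constructed sample, not malware")

        snap1 = take_snapshot(home, os.path.join(tmp, "snap-1"))
        _write(os.path.join(home, "thesis.txt"), b"draft 2")
        snap2 = take_snapshot(home, os.path.join(tmp, "snap-2"), previous=snap1)

        f1 = os.path.join(snap1, "flagged.bin")
        f2 = os.path.join(snap2, "flagged.bin")
        results["unchanged_file_shares_inode"] = os.path.samefile(f1, f2)
        results["link_count"] = os.stat(f1).st_nlink
        results["changed_file_shares_inode"] = os.path.samefile(
            os.path.join(snap1, "thesis.txt"), os.path.join(snap2, "thesis.txt"))

        # Case 1: unlinking the name in one snapshot leaves older snapshots intact.
        os.remove(f2)
        results["older_copy_survives_unlink"] = os.path.exists(f1)

        # Case 2: rewriting a still-shared file in place changes every snapshot
        # that links to the same inode, including ones taken earlier.
        snap3 = take_snapshot(home, os.path.join(tmp, "snap-3"), previous=snap1)
        with open(os.path.join(snap3, "flagged.bin"), "r+b") as fh:
            fh.truncate(0)
        with open(f1, "rb") as fh:
            results["older_copy_after_inplace_edit"] = fh.read()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```
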

Unless you're backing up a filevault protected home directory. Then it handles it in just about the stupidest way possible: it saves the whole honking encrypted image as one big file.* And despite the fact that it doesn't decrypt the image, it still only works if you're logged in and the image is open.

*If you're set up as sparse images, then you do a little better. But still, no incremental backups for you. If a file changes, you have to copy the *whole* thing, because good encryption won't make it obvious which bits of the file are different. Also, I'm not sure it can tell which files are, say, disk cache for the browser....

FYI, I'm not using filevault, just individual files to be backed up... but TM uses sparsebundles in ways I don't begin to understand. One respondent via Twitter suggested that Sophos may have simply been in the process of deleting the entire sparsebundle -- i.e. the entire lot of backups -- when I killed its process. No idea if this is correct. I hope Sophos eventually provides some insight.

Have you double checked to make sure that you can't still see the backup history using the native Time Machine browser app? In my experience with TM failure, one symptom included a sudden change in the amount of free/used space reported - not unlike your experience - see below for more details.

One of the reasons I switched to Mac was because I liked the Time Machine concept. I use a Seagate USB drive plugged into a Macbook Pro. A few weeks in, Time Machine reports that it is unable to complete a backup. Mul

You guys are explaining the behavior on 10.5, 10.6 is more intelligent about it.
FileVault home directories will get backed up as sparsebundles instead of sparsedisks. The difference is the former uses multiple 8 meg files. Update only cache, and only the files that contain that data will be updated.

Unless you're backing up a filevault protected home directory. Then it handles it in just about the stupidest way possible: it saves the whole honking encrypted image as one big file.* And despite the fact that it doesn't decrypt the image, it still only works if you're logged in and the image is open.

*If you're set up as sparse images, then you do a little better. But still, no incremental backups for you. If a file changes, you have to copy the *whole* thing, because good encryption won't make it obvious

If it does it without decrypting the contents, then the user shouldn't need to actually be logged in in order to get the benefit of the backup. It should back them up if it's changed since the last backup regardless of whether the user is logged at the precise moment backup begins.

OR,

It could require the user to be logged in, because it needs access to the unencrypted files. Obviously, it would encrypt the backup itself. The benefit here would that a logged-in filevault user w

it's a sparse disk image bundle thingy. Which uses a bunch of 8MB files, not one file. from the hdiutil man page [apple.com]:

By default, UDSP images grow one megabyte at a time. Introduced in 10.5, UDSB images use 8 MB band files which grow as they are written to. -imagekey sparse-band-size=size can be used to specify the number of 512-byte sectors that will be added each time the image grows. Valid values for SPARSEBUNDLE range from 2048 to 262144 sectors (1 MB to 128 MB).

The maximum size of a SPARSE image is 128 petabytes; the maximum for SPARSEBUNDLE is just under 8 exabytes (2^63 - 512 bytes minus 1 byte). The amount of data that can be stored in either type of sparse image is additionally bounded by the filesystem in the image and by any partition map. compact can reclaim unused bands in sparse images backing HFS+ filesystems. resize will only change the virtual size of a sparse image. See also USING PERSISTENT SPARSE IMAGES below.

TM had the privileges to stop Sophos fucking this guy's shit up. Sophos should probably have been aware of the existence of Time Machine and perhaps had a specific behavior or at least prompt for it (as TM comes with the OS IIRC - i'm not a mac guy and never use TM when i'm on one).

Blame Sophos. Sparse bundles are a key feature of the Apple filing system and really, really useful. Sophos should know all about them. This would be akin to a Linux AV that could look inside .tar.gz files but would nuke the whole archive if one file inside was questionable, without making that absolutely clear to the user.

Something must be broken then in your setup somewhere, because I use a Time Capsule, recently upgraded from 500GB to WD Green 2TB, and never had a single data loss/corruption issue. I'm using it with a MBP and an iMac, and have used it with OS X 10.5, and now 10.6. Not a single problem, apart from running out of room on the 500GB drive and having to upgrade.

Well, it was in a way, AV software is a braindead solution to a problem that shouldn't exist. Use only properly signed software from trusted sources in a secure platform, that's a real solution.

So.. You are never allowed to download something and try it out, unless it's from a trusted source. Exactly how are normal people supposed to get their programs into said trusted sources? Should we perhaps have an "app store" for all software, putting a few large entities in control of what is acceptable or not?

I also enjoy your naive belief that virus can only spread by downloading and running infected code. This is not 1989. Compromised web pages, exploiting holes in browsers and browser add-ons, infected

I don't run active antivirus at all, the trick is never to touch the internet explorer browser. Another tip is don't download a bunch of pirated programs and run them without scanning them first. I suggest malwarebytes [malwarebytes.org].

I also keep a copy of combofix [bleepingcomputer.com] on a usb drive just in case.

Also, don't ever accidentally subject yourself to zero-day exploits in your browser, which means never browse any valid website compromised by malware pushers without the knowledge or consent of the website owner.

In other words, connect your computer only to a fantasy Internet powered by the carbon-offsetting power of unicorn farts and good wishes.

Yes, the world is out to get you. Not you personally, of course; you're not that interesting. Just you as part of the entire gamut of possible malware victims. Th

My browser runs as a non-privileged user on a secure Unix system. The process itself doesn't have write permission on any executable file, not even itself.

That user is != to my actual user, so it won't even get to my docs or other information. It'll only affect my browser, which can write nowhere but its own home directory. If something like that happened, restarting my browser and killing any process it might have spawned would be enough.

Not true. I use Free Software. I was a Slackware user for ages (version 3 through 12, then I switched to Ubuntu). I trust the community. I've never gotten malware into my machine. Security bugs? Sure. They were all promptly fixed.

So, don't say that something that has been a reality for 20 years isn't possible, you sound stupid.

AV on a UNIX machine is a bad idea in more ways than one.
By definition, AV programs go about deleting files. Obviously this can corrupt a system. So the risk of incurring virus damage must significantly outweigh the risk of incurring antivirus damage. On any UNIX system, it is still best not to have AV.

Well, zeroday attacks cannot be detected. And the only thing the AV will do is to scan for Windoze viruses, and Mac before it got the X in OS X. So it's more or less completely useless, except for helping the poor mass of sheep that should never be allowed to use a computer because of their stupidity.

Time Machine stores the backup files on an external hard drive in a specific way such that it can perform the backup task and the possible restore task effectively. In order for this to work no one should modify or delete any data stored in the backup location. This will most likely corrupt the backup.

The author of the article told Sophos AV to delete files from within the Time Machine backup location... well, of course one can expect that it messes things up.

First, we get an article that consists of one idiot posting on a blog who openly admits that he clicked delete himself on the popup and thus caused the problem in the first place. If it had been a critical set of Windows backups, the same thing would have happened, or even the System Restore folders.

Then, I realise it's an article by kdawson who I have deliberately blocked because all their submissions have glaring errors and omissions or are nothing more than rumour, but they've handed it off to another p

kdawson complains about having lost nineteen months of 'mac life' but what was there to lose? These were backups. They weren't the only location of the files in question, and if there were files stored only in Time Machine, are you also one of those people that keep important files in the trash can?

I'm not saying there isn't a problem if Sophos deleted the backups, just that it isn't that big a deal.

The guy sounds like a complete douche and fanboi - drooling on about it being Unix, and having root, and having the 'cat' command. You bent over for Steve Jobs buddy, and now you're finding Macs are just computers too. Sorry for the loss of your innocence.

IMHO a backup of something important should be done with the simplest method possible. Put it on a medium (optical, HD,...) and put the medium in a cupboard to never touch anymore. Why trust a program of which you don't know exactly what it does and that can be influenced by other programs as turns out now?

If you're using Time Machine and you think it'll keep files you've deleted from your original drive around forever, you're mistaken. Time Machine focuses on staying current; if you run out of space on your Time Machine volume, it starts deleting old backups to make room for the new ones. It assumes that since you deleted it, you don't want it anymore. It'll keep it around for a while as a side effect of how it works and as a convenience, but it's not the priority.

Time Machine is too easy to use. Many users even use it for archiving deleted files or older versions of files. This is madness. A Backup is not an archive. As soon as you start to rely on parts of your backup as a source of data that is not elsewhere anymore you deserve everything that may happen to you. But you'll never get this into the brains of users. Give them a backup system that is easy to use and they will use it for letting it archive stuff.

I've added a comment from Sophos's Graham Cluley to the end of the blog post [recoveringphysicist.com]. He/they have been quite responsive, especially given that the free A-V product comes without official support. Apparently I am the only one ever to have reported such a problem with Time Machine.

It's a daemon that copies files that have changed in the last hour to a second hard drive. It's useful for casual development work, and the GUI client is intuitive. I've also used it to recover files after they've been overwritten by buggy programs. It's also come in handy for certain games-- if the autosaved game file from today is less interesting than the autosaved game file from yesterday, or two weeks ago, I can recover the older files.